The spread of malware and other computer attacks has increased the focus on network security. Malware may include viruses, worms, or other malicious code meant to disrupt network service, impair computer performance, open holes for intrusion, etc. Computer attacks may include flooding a server with traffic or requests, or other actions that overload a server or network and cause a denial of service (DoS).
Traditional approaches to mitigating malware have focused on preventing infection of networked machines. Antivirus software is typically concerned with recognizing viruses by examining software for particular known signatures. Recognized viruses can be quarantined and/or destroyed. Traditional malware protection suffers many limitations: a new virus is able to spread unchecked until it can be analyzed for a signature and the antivirus definitions updated on each individual machine, which may require considerable time and effort. Those who do not take advantage of the almost constant updates are more vulnerable to attack by viruses that are not in their outdated definitions. Many new viruses are also adaptable, altering themselves as they spread, which causes further difficulty for signature-based antivirus software.
Another approach is virus throttling, introduced by researchers at HP Laboratories Bristol. See, e.g., Jamie Twycross, Matthew M. Williamson, “Implementing and Testing a Virus Throttle,” Trusted Systems Laboratory, HP Laboratories Bristol, HPL-2003-103, May 21, 2003. The virus throttle approach recognizes that viruses typically spread by engaging in “abnormal” computer behavior, that is, behavior outside the expected norm of computer conduct. For example, an infected computer may attempt to establish many connections per second to different hosts to increase the chance of spreading. The virus throttle limits the number of new connections per second that a host can make.
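The following is an added illustration of the connection-rate throttle described above; it is not code from the patent or from the HP Laboratories paper. It assumes the general shape of such a throttle: destinations contacted recently (a small "working set") are allowed through immediately, each second grants a fixed budget of connections to new destinations, and connections beyond that budget wait in a delay queue that is drained one slot per second. A queue that grows past a threshold is the sign of abnormal behaviour. The parameter values, the host names, and the two traffic traces are constructed for the example.

```python
from collections import deque


class ConnectionThrottle:
    """Rate-limit *new* outbound connections from a single host.

    Destinations in the working set (recently contacted) pass immediately.
    A connection to any other destination consumes one of `max_new_per_second`
    slots; once the slots for the current second are used up, further new
    destinations wait in a delay queue and are released in order as later
    seconds open new slots.  A long queue marks the host as behaving abnormally.
    Working-set size, rate and alert threshold are assumed values for this example.
    """

    def __init__(self, working_set_size=5, max_new_per_second=1, alert_queue_len=10):
        self.working_set = deque(maxlen=working_set_size)  # oldest entry is evicted
        self.max_new_per_second = max_new_per_second
        self.alert_queue_len = alert_queue_len
        self.delay_queue = deque()   # destinations waiting for a slot
        self.current_second = None   # wall-clock second of the last request
        self.slots_used = 0          # new-destination slots used this second
        self.released = []           # (second, dst) released from the delay queue
        self.alerts = []             # seconds in which the queue crossed the threshold

    def _admit(self, dst):
        # Record the destination as recently contacted and spend one slot.
        if dst not in self.working_set:
            self.working_set.append(dst)
        self.slots_used += 1

    def _advance(self, t):
        # Move the clock forward to int(t); each elapsed second resets the
        # slot budget and drains the delay queue as far as the budget allows.
        second = int(t)
        if self.current_second is None:
            self.current_second = second
            return
        while self.current_second < second:
            self.current_second += 1
            self.slots_used = 0
            while self.delay_queue and self.slots_used < self.max_new_per_second:
                dst = self.delay_queue.popleft()
                self._admit(dst)
                self.released.append((self.current_second, dst))

    def request(self, t, dst):
        """Return 'allowed' if a connection to dst may open now, else 'queued'."""
        self._advance(t)
        if dst in self.working_set:
            return "allowed"
        if self.slots_used < self.max_new_per_second:
            self._admit(dst)
            return "allowed"
        if dst not in self.delay_queue:       # one queue entry per destination
            self.delay_queue.append(dst)
        if len(self.delay_queue) >= self.alert_queue_len and (
            not self.alerts or self.alerts[-1] != self.current_second
        ):
            self.alerts.append(self.current_second)  # at most one alert per second
        return "queued"


def simulate(attempts, **throttle_args):
    """Run a list of (time_seconds, destination) attempts through a throttle."""
    throttle = ConnectionThrottle(**throttle_args)
    verdicts = [throttle.request(t, dst) for t, dst in attempts]
    return {
        "allowed": verdicts.count("allowed"),
        "queued": verdicts.count("queued"),
        "alerts": list(throttle.alerts),
        "final_queue": list(throttle.delay_queue),
    }


# Constructed trace: an ordinary user revisiting a handful of hosts.
NORMAL_ATTEMPTS = [
    (0.0, "web1"), (0.3, "web1"), (1.2, "dns"), (1.4, "web1"),
    (2.1, "mail"), (2.5, "dns"), (3.0, "web1"),
]

# Constructed trace: twenty distinct destinations inside the first second,
# the kind of burst an infected host produces while trying to propagate.
SCAN_ATTEMPTS = [(i * 0.04, f"h{i}") for i in range(20)]

if __name__ == "__main__":
    print("normal:", simulate(NORMAL_ATTEMPTS))
    print("scan:  ", simulate(SCAN_ATTEMPTS))
```

The normal trace passes untouched because its destinations are either in the working set or arrive at no more than one new host per second, while the scanning trace gets one connection through and nineteen held back, with an alert raised as the queue grows. Note that, as the next paragraph points out, this design only ever sees new outbound connections; traffic on connections that are already open, and inbound traffic, is never consulted.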
One limitation of the virus throttle described above is that the approach is specifically connection-based. Only new, outbound connections are restricted. The virus throttle as described does not protect connections that are already open, nor does it address inbound traffic. Thus, the described virus throttle is limited both in scope and flexibility.